ASA 5505 to 2811 router configuration issue

My issue is I can traceroute from the 3550 and only get as far as 172.16.100.1 If I traceroute on the 2811 to outside, I can get anywhere I want. This would seem to lead me to believe there is an issue on the 2811 router. What am I missing? Is DHCP an issue on the 5505?

I bought some old network gear for a lab and now trying to set it up with a connection to my Comcast modem. I have a business class modem in bridged mode 0/0 - Global IP (Vlan2) 0/1 - 192.168.1.1 (Vlan10). DHCP is used on this device. Static route 0.0.0.0 0.0.0.0 (Global IP Gateway). Router EIGRP 90 (network 172.16.100.0 0.0.0.255)

Connected to port 0/1 of the 5505 is a Cisco 2811 Router Port 0/0 is assigned 192.168.1.254. Port 0/1 is assigned 172.16.100.1 Static Route of 0.0.0.0 0.0.0.0 192.168.1.1

Connected to port 0/1 of the 2811 is a Cisco 3550

See configs below

My issue is I can traceroute from the 3550 and only get as far as 172.16.100.1 If I traceroute on the 2811 to outside, I can get anywhere I want. This would seem to lead me to believe there is an issue on the 2811 router. What am I missing? Is DHCP an issue on the 5505?

Cisco 2811

interface FastEthernet0/0
ip address 192.168.1.254 255.255.255.0
duplex full
speed auto
no mop enabled
!
interface FastEthernet0/1
ip address 172.16.100.1 255.255.255.0
duplex auto
speed auto
!
interface Serial0/0/0
no ip address
shutdown
!
router eigrp 90
network 172.16.100.0 0.0.0.255
!
ip forward-protocol nd
!
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 192.168.1.1

Cisco 3550
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname Corp3550
!
!
username admin privilege 15 secret 5 $1$2wiI$fG1Ywcao.75bbnacN.REI0
!
!
no aaa new-model
clock timezone EST -5
clock summer-time EDT recurring
authentication mac-move permit
mls qos
ip subnet-zero
ip routing
!
!
spanning-tree mode pvst
spanning-tree etherchannel guard misconfig
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface FastEthernet0/1
description Edge Port to Corp-2811
switchport access vlan 25
switchport mode access
spanning-tree portfast
spanning-tree bpduguard enable
!
interface Vlan1
ip address dhcp ip address shutdown
!
interface Vlan10
description Vuepc Server Network
ip address 192.168.100.1 255.255.255.0
ip helper-address 192.168.100.3
!
interface Vlan25
description Transit Network
ip address 172.16.100.254 255.255.255.0
!
interface Vlan35
description Management Network
ip address 192.168.102.1 255.255.255.0
!
router eigrp 90
network 172.16.100.0 0.0.0.255
network 192.168.20.0
network 192.168.100.0
network 192.168.101.0
network 192.168.102.0
eigrp stub connected summary
!
ip classless
ip route 0.0.0.0 0.0.0.0 172.16.100.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1 254
ip http server
ip http authentication local
!
ip radius source-interface Vlan10
!
ip sla enable reaction-alerts
!
control-plane

routing cisco-asa
NtHawk101Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Don JohnstonInstructorCommented:
My issue is I can traceroute from the 3550 and only get as far as 172.16.100.1 If I traceroute on the 2811 to outside, I can get anywhere I want. This would seem to lead me to believe there is an issue on the 2811 router. What am I missing? Is DHCP an issue on the 5505?

Is it just traceroute that stops at the 2811?  Or is all traffic from inside of the 2811 unable to get out?

Based on the information provided, I'm going to guess that the ASA is either not allowing either the returning traceroute messages to the network inside of the 2811, or it's not configured to allow any traffic from those networks or the ASA does not have a route to those inner networks.
0
NtHawk101Author Commented:
I was assuming the FW wouldn't be blocking since I can traceroute from the 2811. It's the 3550 which doesn't which is behind the 2811.
0
Don JohnstonInstructorCommented:
Yes, I know.  But the 3550 will be sourcing the traffic from 172.16.100.254 while the 2811 will be sourcing from 192.168.1.254.  Which are completely different networks. To test this, you could do a traceroute from the 2811 but specify the source address as 172.16.100.1.   While not absolutely conclusive, it is another data point.

A better data point are the answers my previous questions.  ;-)
1
Get Cisco Certified in IT Security

There’s a high demand for IT security experts and network administrators who can safeguard the data that individuals, corporations, and governments rely on every day. Pursue your B.S. in Network Operations and Security and gain the credentials you need for this high-growth field.

NtHawk101Author Commented:
so if I understand right, you want me to traceroute from the 2811 which is the 172.16.100.1 using that IP.
i.e. - traceroute 172.16.100.1 which of course comes back as seeing itself and quits
0
NtHawk101Author Commented:
Disregard my last comment. After looking again I realized what you meant. Will check that when I get back to my desk.
0
Don JohnstonInstructorCommented:
No. Traceroute to whatever you were going to before.  But specify 172.16.100.1 as the source, not the destination.

Are you not going to answer my questions?  Because without that information, I'm firing blind and just making guesses.
0
NtHawk101Author Commented:
using traceroute as requested went no where.
I've tried tracert from a windows machine that I placed in the management vlan (35) and was able to get to 192.168.102.1 and then 172.16.100.1 but no further
Looking at the FW config, I believe it needs to have icmp allowed in. In the logs of the FW, I see source (Public Gateway IP) to (Public Global IP) assigned to the FW getting denied
0
Don JohnstonInstructorCommented:
In the logs of the FW, I see source (Public Gateway IP) to (Public Global IP) assigned to the FW getting denied
Just as I suspected.
0
NtHawk101Author Commented:
well....after trying to follow along on a website on how to allow traceroute, I'm still having issues. Here is my FW config:

ASA Version 8.2(1)
!
hostname V***-ASA1
domain-name V***.com
enable password WsI18bVFQZP/a1Me encrypted
passwd WsI18bVFQZP/a1Me encrypted
names
!
interface Vlan1
 no nameif
 no security-level
 no ip address
 Shutdown
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248
!
interface Vlan5
 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan12
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0
 description Comcast
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 switchport access vlan 12
!
interface Ethernet0/5
 description DMZ
 switchport access vlan 5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
banner motd
banner motd +----------------------------+
banner motd ||
banner motd |***Unauthorized Use or Access Prohibited***|
banner motd ||
banner motd |For Authorized Official Use Only|
banner motd |You must have explicit permission to access or |
banner motd |configure this device. All activities performed |
banner motd |on this device may be logged, and violations of |
banner motd |this policy may result in disciplinary action, and |
banner motd |may be reported to law enforcement authorities. |
banner motd ||
banner motd |There is no right to privacy on this device. |
banner motd ||
banner motd +----------------------------+
banner motd
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DEFAULTDNS
 domain-name V***.com
dns server-group DefaultDNS
 domain-name V***.com
object-group icmp-type DEFAULTICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list acl_outside extended permit icmp any any object-group DEFAULTICMP
access-list acl_outside extended permit icmp any any object-group DM_INLINE_ICMP_1
access-list inside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any traceroute
access-list inside_access_in extended permit icmp any any unreachable
access-list inside_access_in extended permit icmp any any time-exceeded
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain v***.com
!
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map class_default
class-map inspection_default
 match default-inspection-traffic
class-map inside-policy
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny  
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip  
  inspect xdmcp
  inspect icmp
  inspect icmp error
policy-map inside-policy
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:55a6c66cb13b283f88f5bc7dba5bb6fc
: end
0
Don JohnstonInstructorCommented:
thats not your problem.  The problem is that you only have NAT configured for the 192.168.1.0 network.  Add a NAT statement for the 172.161.0.0 networks.
0
NtHawk101Author Commented:
I don't have enough experience yet with using NAT. Are you stating I need a dynamic nat rule exactly like the 192.168.1.0 rule is? I've added that and still no change
0
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
@NtHawk101,

You have to add the below line

nat (inside) 1 172.16.1.0 255.255.255.0

If that's not working,  can you post the updated config here

Thanks
0
Don JohnstonInstructorCommented:
Please post the current config of the ASA (and use the "code" feature when you post it here).
0
NtHawk101Author Commented:
Here you go. The line I added was exactly what you stated it should be

ASA Version 8.2(1) 
!
hostname -ASA1
domain-name Vuepc.com
enable password WsI18bVFQZP/a1Me encrypted
passwd WsI18bVFQZP/a1Me encrypted
names
!
interface Vlan1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248 
!
interface Vlan5
 nameif DMZ
 security-level 50
 ip address 172.16.1.1 255.255.255.0 
!
interface Vlan12
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 
!
interface Ethernet0/0
 description Comcast
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 12
!
interface Ethernet0/2
 switchport access vlan 12
!
interface Ethernet0/3
 switchport access vlan 12
!
interface Ethernet0/4
 switchport access vlan 12
!
interface Ethernet0/5
 description DMZ
 switchport access vlan 5
!
interface Ethernet0/6
 switchport access vlan 12
!
interface Ethernet0/7
 switchport access vlan 12
!
banner motd 
banner motd +----------------------------+
banner motd ||
banner motd |***Unauthorized Use or Access Prohibited***|
banner motd ||
banner motd |For Authorized Official Use Only|
banner motd |You must have explicit permission to access or |
banner motd |configure this device. All activities performed |
banner motd |on this device may be logged, and violations of |
banner motd |this policy may result in disciplinary action, and |
banner motd |may be reported to law enforcement authorities. |
banner motd ||
banner motd |There is no right to privacy on this device. |
banner motd ||
banner motd +----------------------------+
banner motd 
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DEFAULTDNS
 domain-name .com
dns server-group DefaultDNS
 domain-name V.com
object-group icmp-type DEFAULTICMP
 description Default ICMP Types permitted
 icmp-object echo-reply
 icmp-object unreachable
 icmp-object time-exceeded
object-group icmp-type DM_INLINE_ICMP_1
 icmp-object time-exceeded
 icmp-object traceroute
 icmp-object unreachable
access-list acl_outside extended permit icmp any any object-group DEFAULTICMP 
access-list acl_outside extended permit icmp any any object-group DM_INLINE_ICMP_1 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit icmp any any traceroute 
access-list inside_access_in extended permit icmp any any unreachable 
access-list inside_access_in extended permit icmp any any time-exceeded 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu DMZ 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 172.16.100.0 255.255.255.0
nat (inside) 1 192.168.1.0 255.255.255.0
access-group inside_access_in in interface inside
access-group inside_access_in in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 192.168.1.0 255.255.255.0 inside
ssh timeout 5
console timeout 0
dhcpd dns 75.75.75.75 75.75.76.76
dhcpd lease 691200
dhcpd ping_timeout 750
dhcpd domain vuepc.com
!
dhcpd address 192.168.1.10-192.168.1.254 inside
dhcpd enable inside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
!
class-map class_default
class-map inspection_default
 match default-inspection-traffic
class-map inside-policy
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
  inspect icmp 
  inspect icmp error 
policy-map inside-policy
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:504cefd0ff49292bda6d6ea65ebd9fbf
: end

Open in new window

0
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
found it..

we need to mention the correct nameif interface

delete the line and add like below

nat (DMZ) 1 172.16.1.0 255.255.255.0
0
Don JohnstonInstructorCommented:
Still waiting for the answers to my questions though.

Is it just traceroute that stops at the 2811?
Or is all traffic from inside of the 2811 unable to get out?
0
NtHawk101Author Commented:
still no luck....will post config when I get to the office. Have to get to work.
0
Don JohnstonInstructorCommented:
we need to mention the correct nameif interface
No... The traffic in question is coming from 172.16.100.0/24.  That network is sourced on the "inside" interface.
0
NtHawk101Author Commented:
that's what I was wondering....didn't make sense to me that suddenly we're talking DMZ and 172.16.1.1 when we're dealing with 172.16.100.0 networks but hey, am so frustrated am willing to try anything once ...lol

So I've deleted that NAT rule.....the config would be back to the same as above.
0
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
@NtHawk101,

I have overlooked the network. sorry. I do noticed that, you dont have any back route on the ASA to reach 172.16.100.x

SO, here are the final config you need to add in ASA

nat(inside) 1 172.16.100.0 255.255.255.0
route inside 172.16.100.0 255.255.255.0 192.168.1.254

Thanks
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Don JohnstonInstructorCommented:
Yep. There's no route to the 172.16.100.0 network.

Sure would have been nice to know that it was all traffic as opposed to just ICMP.
0
NtHawk101Author Commented:
Those changes would seem to be working as I can now traceroute from the FW back in to 192.168.1.254 and then 172.16.100.254. Thank you! Thank you!

@DonJohnston,
Sorry but since this is the beginning of a lab, there really isn't any traffic yet and why I was using traceroute to verify everything before putting other traffic on the network. I do have to thank you though for pointing the finger at the FW as I would not have thought that was the problem.
0
NetExpert Network Solutions Pte LtdTechnical SpecialistCommented:
@NtHawk101  - Nice to know that, its working

But i would like to tell you that, you are using very old version of ASA IOS. Try to upgrade to the latest and try to explore many option in ASA

Thanks
0
NtHawk101Author Commented:
Right, knew it was but seems you need to have special access on Cisco's site to have rights to download. Just a generic account there doesn't work.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Cisco

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.